[cap-talk] Capabilities giving up control? (was: Re: A paper on web-keys)
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jan 17 20:37:08 EST 2008
Jed, and others who believe that non-delegatable authorities can have no
use in security:
Why does your drivers' license have your photo on it?
Why does your passport have your photo on it?
These are authorities that are bound to your identity such that you
cannot delegate them to anyone else in a useful manner. You can hand
your passport to someone else but they cannot usefully use it. Likewise
with your drivers' license.
There is good reason for this. Your passport and drivers' license are,
in one sense, statements about you, not anyone else. Hence, they
shouldn't be usable by other people. But these statements about you
naturally grant you authority -- authority to drive a car legally or the
authority to leave the country. On a more fundamental level, they grant
the authority for the individual pictured to be identified as you. These
are all non-delegatable authorities by virtue of the included photo and
the infeasibility of impersonating your face.
These things exist in the real world presumably for good reason.
Convince me that passports and drivers' licenses have no need to carry
your photo -- or more precisely, ought to be usable by people whose
faces don't match that pictured -- and I'll agree that non-delegatable
authorities have no use.
If otherwise, then I am forced to conclude that they are useful (at
least in the real world) and hence, that people's fears about giving up
control are justified (at least in the real world) -- e.g. people's (the
Government's?) fears about giving up control over who is legally
allowed to drive, or to leave the country.
Of course, this is coming from a strong advocate of the object-cap model
who is (in this instance) trying to apply real-world insights about
real-world security to computer security, so this is certainly not a
critique of the object-cap model nor capability security, both of which
I strongly believe in.
Cheers
Toby